API Reference

Zero Trust

Devices

Policies

Custom

Copy Markdown

Open in Claude

Open in ChatGPT

Open in Cursor

---

Copy Markdown

View as Markdown

Create a device settings profile

POST/accounts/{account_id}/devices/policy

Creates a device settings profile to be applied to certain devices matching the criteria.

Security

API Token

The preferred authorization scheme for interacting with the Cloudflare API. Create a token.

Example:Authorization: Bearer Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY

API Email + API Key

The previous authorization scheme for interacting with the Cloudflare API, used in conjunction with a Global API key.

Example:X-Auth-Email: user@example.com

The previous authorization scheme for interacting with the Cloudflare API. When possible, use API tokens instead of Global API keys.

Example:X-Auth-Key: 144c9defac04969c7bfad8efaa8ea194

Accepted Permissions (at least one required)

Zero Trust Write

Path ParametersExpand Collapse

account_id: string

Body ParametersJSONExpand Collapse

match: string

The wirefilter expression to match devices. Available values: "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.service_token_uuid", "identity.saml_attributes", "network", "os.name", "os.version".

maxLength500

name: string

The name of the device settings profile.

maxLength100

precedence: number

The precedence of the policy. Lower values indicate higher precedence. Policies will be evaluated in ascending order of this field.

allow_mode_switch: optional boolean

Whether to allow the user to switch WARP between modes.

allow_updates: optional boolean

Whether to receive update notifications when a new version of the client is available.

allowed_to_leave: optional boolean

Whether to allow devices to leave the organization.

auto_connect: optional number

The amount of time in seconds to reconnect after having been disabled.

captive_portal: optional number

Turn on the captive portal after the specified amount of time.

description: optional string

A description of the policy.

maxLength500

disable_auto_fallback: optional boolean

If the dns_server field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to true.

enabled: optional boolean

Whether the policy will be applied to matching devices.

exclude: optional array of SplitTunnelExclude

List of routes excluded in the WARP client's tunnel. Both 'exclude' and 'include' cannot be set in the same request.

One of the following:

TeamsDevicesExcludeSplitTunnelWithAddress = object { address, description }

address: string

The address in CIDR format to exclude from the tunnel. If address is present, host must not be present.

description: optional string

A description of the Split Tunnel item, displayed in the client UI.

maxLength100

TeamsDevicesExcludeSplitTunnelWithHost = object { host, description }

host: string

The domain name to exclude from the tunnel. If host is present, address must not be present.

description: optional string

A description of the Split Tunnel item, displayed in the client UI.

maxLength100

exclude_office_ips: optional boolean

Whether to add Microsoft IPs to Split Tunnel exclusions.

include: optional array of SplitTunnelInclude

List of routes included in the WARP client's tunnel. Both 'exclude' and 'include' cannot be set in the same request.

One of the following:

TeamsDevicesIncludeSplitTunnelWithAddress = object { address, description }

address: string

The address in CIDR format to include in the tunnel. If address is present, host must not be present.

description: optional string

A description of the Split Tunnel item, displayed in the client UI.

maxLength100

TeamsDevicesIncludeSplitTunnelWithHost = object { host, description }

host: string

The domain name to include in the tunnel. If host is present, address must not be present.

description: optional string

A description of the Split Tunnel item, displayed in the client UI.

maxLength100

lan_allow_minutes: optional number

The amount of time in minutes a user is allowed access to their LAN. A value of 0 will allow LAN access until the next WARP reconnection, such as a reboot or a laptop waking from sleep. Note that this field is omitted from the response if null or unset.

lan_allow_subnet_size: optional number

The size of the subnet for the local access network. Note that this field is omitted from the response if null or unset.

register_interface_ip_with_dns: optional boolean

Determines if the operating system will register WARP's local interface IP with your on-premises DNS server.

sccm_vpn_boundary_support: optional boolean

Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).

service_mode_v2: optional object { mode, port }

mode: optional string

The mode to run the WARP client under.

port: optional number

The port number when used with proxy mode.

support_url: optional string

The URL to launch when the Send Feedback button is clicked.

switch_locked: optional boolean

Whether to allow the user to turn off the WARP switch and disconnect the client.

tunnel_protocol: optional string

Determines which tunnel protocol to use.

ReturnsExpand Collapse

errors: array of ResponseInfo { code, message, documentation_url, source }

code: number

minimum1000

message: string

documentation_url: optional string

source: optional object { pointer }

pointer: optional string

messages: array of ResponseInfo { code, message, documentation_url, source }

code: number

minimum1000

message: string

documentation_url: optional string

source: optional object { pointer }

pointer: optional string

result: SettingsPolicy { allow_mode_switch, allow_updates, allowed_to_leave, 24 more }

allow_mode_switch: optional boolean

Whether to allow the user to switch WARP between modes.

allow_updates: optional boolean

Whether to receive update notifications when a new version of the client is available.

allowed_to_leave: optional boolean

Whether to allow devices to leave the organization.

auto_connect: optional number

The amount of time in seconds to reconnect after having been disabled.

captive_portal: optional number

Turn on the captive portal after the specified amount of time.

default: optional boolean

Whether the policy is the default policy for an account.

description: optional string

A description of the policy.

maxLength500

disable_auto_fallback: optional boolean

If the dns_server field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to true.

enabled: optional boolean

Whether the policy will be applied to matching devices.

exclude: optional array of SplitTunnelExclude

List of routes excluded in the WARP client's tunnel.

One of the following:

TeamsDevicesExcludeSplitTunnelWithAddress = object { address, description }

address: string

The address in CIDR format to exclude from the tunnel. If address is present, host must not be present.

description: optional string

A description of the Split Tunnel item, displayed in the client UI.

maxLength100

TeamsDevicesExcludeSplitTunnelWithHost = object { host, description }

host: string

The domain name to exclude from the tunnel. If host is present, address must not be present.

description: optional string

A description of the Split Tunnel item, displayed in the client UI.

maxLength100

exclude_office_ips: optional boolean

Whether to add Microsoft IPs to Split Tunnel exclusions.

fallback_domains: optional array of FallbackDomain { suffix, description, dns_server }

suffix: string

The domain suffix to match when resolving locally.

description: optional string

A description of the fallback domain, displayed in the client UI.

maxLength100

dns_server: optional array of string

A list of IP addresses to handle domain resolution.

gateway_unique_id: optional string

include: optional array of SplitTunnelInclude

List of routes included in the WARP client's tunnel.

One of the following:

TeamsDevicesIncludeSplitTunnelWithAddress = object { address, description }

address: string

The address in CIDR format to include in the tunnel. If address is present, host must not be present.

description: optional string

A description of the Split Tunnel item, displayed in the client UI.

maxLength100

TeamsDevicesIncludeSplitTunnelWithHost = object { host, description }

host: string

The domain name to include in the tunnel. If host is present, address must not be present.

description: optional string

A description of the Split Tunnel item, displayed in the client UI.

maxLength100

lan_allow_minutes: optional number

The amount of time in minutes a user is allowed access to their LAN. A value of 0 will allow LAN access until the next WARP reconnection, such as a reboot or a laptop waking from sleep. Note that this field is omitted from the response if null or unset.

lan_allow_subnet_size: optional number

The size of the subnet for the local access network. Note that this field is omitted from the response if null or unset.

match: optional string

The wirefilter expression to match devices. Available values: "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.service_token_uuid", "identity.saml_attributes", "network", "os.name", "os.version".

maxLength500

name: optional string

The name of the device settings profile.

maxLength100

policy_id: optional string

maxLength36

precedence: optional number

The precedence of the policy. Lower values indicate higher precedence. Policies will be evaluated in ascending order of this field.

register_interface_ip_with_dns: optional boolean

Determines if the operating system will register WARP's local interface IP with your on-premises DNS server.

sccm_vpn_boundary_support: optional boolean

Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).

service_mode_v2: optional object { mode, port }

mode: optional string

The mode to run the WARP client under.

port: optional number

The port number when used with proxy mode.

support_url: optional string

The URL to launch when the Send Feedback button is clicked.

switch_locked: optional boolean

Whether to allow the user to turn off the WARP switch and disconnect the client.

target_tests: optional array of object { id, name }

id: optional string

The id of the DEX test targeting this policy.

name: optional string

The name of the DEX test targeting this policy.

tunnel_protocol: optional string

Determines which tunnel protocol to use.

success: true

Whether the API call was successful.

Create a device settings profile

HTTP

HTTP

TypeScript

Python

Go

Terraform

curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/policy \
    -H 'Content-Type: application/json' \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
    -d '{
          "match": "identity.email == \\"test@cloudflare.com\\"",
          "name": "Allow Developers",
          "precedence": 100,
          "allow_mode_switch": true,
          "allow_updates": true,
          "allowed_to_leave": true,
          "captive_portal": 180,
          "description": "Policy for test teams.",
          "disable_auto_fallback": true,
          "enabled": true,
          "exclude_office_ips": true,
          "lan_allow_minutes": 30,
          "lan_allow_subnet_size": 24,
          "register_interface_ip_with_dns": true,
          "support_url": "https://1.1.1.1/help",
          "switch_locked": true,
          "tunnel_protocol": "wireguard"
        }'

200 example

{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "allow_mode_switch": true,
    "allow_updates": true,
    "allowed_to_leave": true,
    "auto_connect": 0,
    "captive_portal": 180,
    "default": false,
    "description": "Policy for test teams.",
    "disable_auto_fallback": true,
    "enabled": true,
    "exclude": [
      {
        "address": "192.0.2.0/24",
        "description": "Exclude testing domains from the tunnel"
      }
    ],
    "exclude_office_ips": true,
    "fallback_domains": [
      {
        "suffix": "example.com",
        "description": "Domain bypass for local development",
        "dns_server": [
          "1.1.1.1"
        ]
      }
    ],
    "gateway_unique_id": "699d98642c564d2e855e9661899b7252",
    "include": [
      {
        "address": "192.0.2.0/24",
        "description": "Include testing domains in the tunnel"
      }
    ],
    "lan_allow_minutes": 30,
    "lan_allow_subnet_size": 24,
    "match": "identity.email == \"test@cloudflare.com\"",
    "name": "Allow Developers",
    "policy_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "precedence": 100,
    "register_interface_ip_with_dns": true,
    "sccm_vpn_boundary_support": false,
    "service_mode_v2": {
      "mode": "proxy",
      "port": 3000
    },
    "support_url": "https://1.1.1.1/help",
    "switch_locked": true,
    "target_tests": [
      {
        "id": "id",
        "name": "name"
      }
    ],
    "tunnel_protocol": "wireguard"
  },
  "success": true
}

Returns Examples

200 example

{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "allow_mode_switch": true,
    "allow_updates": true,
    "allowed_to_leave": true,
    "auto_connect": 0,
    "captive_portal": 180,
    "default": false,
    "description": "Policy for test teams.",
    "disable_auto_fallback": true,
    "enabled": true,
    "exclude": [
      {
        "address": "192.0.2.0/24",
        "description": "Exclude testing domains from the tunnel"
      }
    ],
    "exclude_office_ips": true,
    "fallback_domains": [
      {
        "suffix": "example.com",
        "description": "Domain bypass for local development",
        "dns_server": [
          "1.1.1.1"
        ]
      }
    ],
    "gateway_unique_id": "699d98642c564d2e855e9661899b7252",
    "include": [
      {
        "address": "192.0.2.0/24",
        "description": "Include testing domains in the tunnel"
      }
    ],
    "lan_allow_minutes": 30,
    "lan_allow_subnet_size": 24,
    "match": "identity.email == \"test@cloudflare.com\"",
    "name": "Allow Developers",
    "policy_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "precedence": 100,
    "register_interface_ip_with_dns": true,
    "sccm_vpn_boundary_support": false,
    "service_mode_v2": {
      "mode": "proxy",
      "port": 3000
    },
    "support_url": "https://1.1.1.1/help",
    "switch_locked": true,
    "target_tests": [
      {
        "id": "id",
        "name": "name"
      }
    ],
    "tunnel_protocol": "wireguard"
  },
  "success": true
}